Costly Service Provider Mistakes for Investment Advisors

Investment Advisors: Don’t Make These Expensive Outsourcing Mistakes with Service Providers

Your firm outsources to service providers to help you run a more efficient practice. But what happens when a service provider harms your business?  

It’s more common than you think – and the costs of a vendor mistake can be shockingly high. From software outages that frustrate clients to inept providers that lose data, the wealth management industry is filled with horror stories. 

But it doesn’t have to be this way. A strong service provider program can help protect your investment management firm from costly service provider errors and excessive expenses.  

What can go wrong? Here are five ways outsourced service providers (aka vendors) can cost your business – and what you can do to prevent it.

1. Unanticipated expenses

Comerica Bank’s wealth management division switched wealth management platforms in May 2023 – only to have the new platform cause transaction errors for trust clients, according to The Wall Street Journal. Some transactions went through multiple times, while others didn’t go through at all. Comerica reported that any money that couldn’t be tracked down would have to be written off – at least $500,000 so far. 

In addition to write-offs, the firm also hired auditors from PWC to help sort out the matter, a significant expense considering the auditors were still at the bank six months later. Regulators are investigating the issue. 

Where did Comerica go wrong? According to The Wall Street Journal, it ignored red flags during the due diligence phase. Staff pointed out repeated problems during test runs and warned the program wasn’t ready.  

There’s no shortage of service providers. Selecting the best fit for your investment management firm is a matter of understanding the market, seeking referrals, and undertaking thorough due diligence. This will prepare you for any direct or indirect costs associated with outsourcing.

2. Unqualified service providers

When Morgan Stanley’s wealth management arm shut down several data centers in 2016, it hired a service provider to remove legally protected customer data from old computer devices. The contracted service provider turned around and sold the original contract to an unauthorized (and entirely unqualified) service provider, who inevitably failed to remove the data, exposing clients’ personally identifiable information (PII). 

What happened next? Morgan Stanley paid more than $100 million in penalties to the Securities and Exchange Commission (SEC), the Office of the Comptroller of the Currency, and several state attorneys general in addition to settling customer lawsuits because of the incident. The company also had to fortify its third-party risk management program. 

Where did Morgan Stanley go wrong? Unless there’s specific language in your contract forbidding it, service providers pretty much have free rein to sell your contract to any subcontractor, including those who are completely unqualified to do the job. 

Imagine the following scenario: your firm enters a three-year agreement with an index provider. Twelve months into your relationship, it outsources your contract to a newly minted fintech that builds bespoke indexes but doesn’t devote sufficient resources to cybersecurity. 

The fintech suffers a data breach, and your clients’ information leaks. Suddenly, you’re facing lawsuits and regulatory penalties because you failed to address the assignment clause in the contract. 

Make sure any outsourcing contract your firm signs include a notice of consent preventing service providers from selling your contract or outsourcing functions to a subcontractor without your permission. This gives you time to perform due diligence on subcontractors handling critical functions. 

At a minimum, you should insist on language that stipulates any subcontractor be as qualified and competent as your original provider. 

While the SEC has proposed an outsourcing rule that would require investment advisors to ask more questions about service providers’ subcontractor agreements, advisors should already be asking these questions. It's too risky and expensive not to.

Related: Third-Party Vendors: 10 High-Risk Situations

3. Data Breaches

Data breaches cost companies an average of $4.45 million per incident, according to a recent report by IBM. Even if your investment management firm is doing everything to protect client information from data breaches, are you confident that your service providers are doing the same? 

From California to Canada, investment advisory firms have found themselves on the hook for service providers’ lax cybersecurity controls (i.e. the processes or mechanisms used to mitigate risk) and reporting. When the company behind a popular back-office software program used by investment advisors to print and deliver client materials experienced a hack in 2023, it was months before advisors knew the extent of the damage to their clients. (The PII of an undisclosed number of clients was exposed.) 

While service provider contracts should contain cyber liability insurance, the amount of coverage varies by provider. Insurance offers some protection from third-party cyber incidents, but investment advisors must also be proactive in monitoring their service providers’ cyber controls to avoid reputational and financial harm.

Continuous service provider cyber monitoring is the best bet for RIAs and broker-dealers who want to limit the liability of costly third-party data breaches.

4. Service disruptions and outages

Imagine if your clients couldn’t access their accounts or withdraw money online for weeks. It would probably upend your practice. You'd get a lot of angry phone calls. But it can and does happen. 

Over 45,000 wealth management clients in Australia found themselves in that situation when a security incident at a third party caused an “extended outage” that lasted weeks. The problem stemmed from unauthorized access to the firm’s “registry provider’s system,” which is the system used to maintain records about investors for compliance purposes.  

It’s unclear if there will be any consequences for the registry provider.  

In addition to ensuring third-party vendors have strong cybersecurity controls, wealth management firms need to establish agreed-upon performance standards and benchmarks for service providers. Tying these performance standards to economic consequences if a service provider fails to meet expectations is critically important. Service providers will be less incentivized to fulfill their obligations without a financial penalty attached. 

Service providers will gladly agree to reperform a function when they fail, but your investment management firm may have already suffered significant monetary or reputation losses at this point. Holding service providers financially accountable for mistakes is a necessary first step. 

The second step is to monitor service providers for any lapses, paying attention to service provider reports and reports generated by third-party audits (SOC 2 reports). Investment management firms also want to retain the right to audit service providers. Ideally, you should be able to trust the reports from your service provider – and in most cases, you can. Audit rights simply give you an additional tool in your service provider management arsenal. 

Preventing potential issues with service providers through monitoring and regular third-party risk assessments is a far better strategy than waiting until something goes wrong.

5. Loss of Clients

When a client of Lincoln Financial discovered that her name, Social Security number, date of birth, and address popped up during a simple Google search, she grew concerned. 

When she found out her data leaked due to a breach at a well-known customer relationship management provider under contract with Lincoln Financial, she fired her advisor.  

The advisor didn’t know what hit him: the provider had failed to disclose the breach. 

Losing clients is never a good thing, but when investment advisors lose clients because of service provider mistakes, it’s even worse. At least, it feels worse. 

Advisors spend too much time and money building their client roster and industry reputation to see it rapidly dissolve due to a service provider error. Unfortunately, this is sometimes the high price investment advisors pay for insufficient service provider management.

Prevent costly mistakes with vendor management

Advisors and other investment management professionals can limit the risk of costly vendor mistakes with vendor management (also known as third-party risk management (TPRM)). Vendor management is the process firms use to manage third-party risk. That’s the risk that a third party, like an outsourced vendor, won’t perform as expected.  

Let’s take a look at four key steps of vendor management: 

1. Planning and risk assessment 
2. Due diligence 
3. Contract negotiation 
4. Ongoing monitoring

1. Planning and Risk Assessment

Vendor management begins by asking what your firm hopes to gain by outsourcing to a vendor and then considering the potential risks (i.e., what could go wrong). Not every vendor poses the same amount of risk. The water bottle delivery service presents minimal risk because they are unlikely to pose a material risk to your business. Anyone with access to your client data who could damage your reputation is a high-risk vendor (sometimes called a critical vendor). 

High-risk vendors require more oversight and controls to ensure they don't pose undue risk to your operations or practice.

2. Due Diligence

The next step is to vet potential vendors thoroughly. This involves examining their financial health, track record, available resources, business practices, and the robustness of their internal governance. You can find this information from documents provided by the vendor or external sources, including media reports and legal filings that might highlight regulatory issues.  

You don’t want to choose a vendor only to have them go out of business and leave you in the lurch or to discover they have legal problems or weak cybersecurity. Due diligence should correlate with risk. The greater the risk a potential vendor poses, the more due diligence is needed.

3. Contract Negotiation

Contract negotiations aren’t just about pricing. They outline terms and conditions that can help or harm your firm. You want to ensure any contract you sign includes controls that protect your firm from third-party vendor risk. 

Contracts must clearly delineate the obligations and rights of all involved parties and include clauses that cover confidentiality, conflict resolution, subcontracting, and data security, among others. They should give you the right to review documents relating to compliance and security testing. They should ensure the existence of business continuity and disaster recovery plans and limit the ability of a vendor to outsource services without your permission.  
 
Make sure you review your contracts, highlighting critical terms, including pricing, expiration, and autorenewal dates.

4. Ongoing Monitoring

Due diligence is not a one-and-done event. It should be an ongoing process.  

Just like the markets, vendor circumstances change. A smart investment yesterday may not be a smart investment today. A lawsuit might threaten its financial stability. A cyberattack could have led to a breach of your data. Maybe your clients are complaining your online platform is slow.  

Continual due diligence and monitoring help you identify when risk increases. Then you can decide to take steps to mitigate risk by adding more controls, enforcing penalties if a vendor isn’t living up the contractual agreement, or even seeking out a new vendor. 

Employing real-time monitoring for cybersecurity threats is also advisable to ensure continued alignment and security in the partnership.

What you need in a service provider management solution

Without a program for managing service provider risk and performance, investment advisors set themselves up for failure. 

Lacking the proper tools to anticipate and proactively respond to issues with service providers, RIAs and broker-dealers expose themselves to lawsuits, regulatory penalties, expensive remediations, and dissatisfied clients.

What Wealth Management Firms Should Look for in a Vendor Management Solution

Third-party risk management software for investment advisors should include: 

Intelligent contract management. Service provider contracts are notoriously vague, with hidden fees and indemnity clauses buried deep in obscure provisions. Intelligent contract assistants (with some powered by artificial intelligence (AI)) can help you extract and pinpoint the most important contract terms and provisions, empowering you to negotiate better terms and pricing. 

Customizable service provider risk controls. Service providers require different documentation, oversight, and third-party risk controls depending on the criticality of the function they perform. If you don’t have a centralized system for risk scoring and documentation management for individual service providers, your likelihood of failing to anticipate an impending problem with a critical service provider skyrockets. 

Cyber monitoring. When a third-party data breach occurs, you’re already in a bad spot. Continuous service provider cyber monitoring tracks publicly available information, including information on the dark web, instantly alerting you of possible data breaches and cybersecurity problems with your providers. It gives you the knowledge to respond promptly and lessen the damage from third-party cyber incidents. 

Workflow management. Smaller RIAs and broker-dealers may turn to an advisor to handle service provider relationships. With a dedicated service provider management solution, investment management firms significantly reduce the time it takes to manage third-party relationships. 

As investment management firms outsource more functions to service providers, they need a system for mitigating costly third-party errors that can disrupt and derail their business. Failure to embrace a robust service provider management solution has a high likelihood of coming back to bite you.  

Want Tips for Negotiating Cost-Saving Service Provider Contracts that Protect Your Firm?